Description
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-01-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated cloning of surveys via CSRF leading to data duplication and potential disclosure
Action: Patch
AI Analysis

Impact

The SurveyJS Drag & Drop WordPress Form Builder contains a CSRF vulnerability due to missing or incorrect nonce validation on the SurveyJS_CloneSurvey AJAX action. An attacker can send a forged request that, when an administrator clicks a link or visits a malicious page, causes the site to duplicate a survey without the administrator’s consent. The result is unauthorized replication of survey definitions, potential exposure of sensitive respondent data, and clutter of the site with unwanted copies.

Affected Systems

The vulnerability affects all versions of devsoftbaltic’s SurveyJS Drag & Drop Form Builder up to and including 2.5.2. WordPress sites that have installed any of these plugin versions are susceptible; site administrators who grant media or form creation privileges are at risk.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate impact, while the EPSS score of less than 1% suggests a low likelihood of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an unauthenticated attacker to lure an administrator into performing the clone form action, typically via social engineering or a malicious link. Once triggered, the attacker can duplicate surveys and thereafter use or delete them as desired.

Generated by OpenCVE AI on April 21, 2026 at 00:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SurveyJS plugin to any release newer than 2.5.2 that implements proper nonce validation on the clone survey AJAX action.
  • Configure the SurveyJS_CloneSurvey AJAX endpoint to accept requests only from users with administrator capability, adding a capability check in the plugin’s code or via a custom function hooked to the AJAX action.
  • Adopt multi‑factor authentication for administrator accounts and limit the use of the cloning feature to trusted personnel to reduce the risk of social‑engineering attacks.
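The nonce validation and capability check the actions above describe, as an added illustrative pattern that is not the SurveyJS plugin's own code: a WordPress admin-ajax handler for the `SurveyJS_CloneSurvey` action shown without and with the checks. Only the `wp_ajax_SurveyJS_CloneSurvey` hook name comes from the page; the handler and helper names, the nonce action string, the capability and the script handle are assumptions.

```php
<?php
// Illustrative pattern only, not the SurveyJS plugin's code. Everything here
// except the wp_ajax_SurveyJS_CloneSurvey hook and the WordPress APIs is assumed.

// Assumed helper standing in for the plugin's actual clone logic.
function hypothetical_surveyjs_clone( $survey_id ) {
    return $survey_id + 1000; // placeholder: pretend this is the new survey ID
}

// VULNERABLE pattern (CWE-352): the hook fires for any logged-in user and the
// handler trusts the request as-is, so a forged request made while an
// administrator is logged in is executed with the administrator's session.
function surveyjs_clone_survey_vulnerable() {
    $survey_id = absint( $_POST['survey_id'] ?? 0 );
    $new_id    = hypothetical_surveyjs_clone( $survey_id );
    wp_send_json_success( array( 'new_id' => $new_id ) );
}

// HARDENED pattern: a nonce tied to the logged-in user proves the request came
// from the plugin's own UI (this is the CSRF fix); the capability check then
// enforces authorization independently of the nonce.
function surveyjs_clone_survey_hardened() {
    // Exits with HTTP 403 if the 'nonce' field is missing, expired or forged.
    check_ajax_referer( 'surveyjs_clone_survey', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    $survey_id = absint( $_POST['survey_id'] ?? 0 );
    if ( 0 === $survey_id ) {
        wp_send_json_error( array( 'message' => 'Invalid survey id' ), 400 );
    }

    $new_id = hypothetical_surveyjs_clone( $survey_id );
    wp_send_json_success( array( 'new_id' => $new_id ) );
}
add_action( 'wp_ajax_SurveyJS_CloneSurvey', 'surveyjs_clone_survey_hardened' );

// The admin page must hand a matching nonce to its JavaScript, which sends it
// as the 'nonce' POST field alongside action=SurveyJS_CloneSurvey.
function surveyjs_expose_clone_nonce() {
    wp_localize_script( 'surveyjs-admin', 'surveyjsClone', array( // assumed handle
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'surveyjs_clone_survey' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'surveyjs_expose_clone_nonce' );
```

The nonce check is what addresses the CSRF; a capability check on its own does not stop a forged request that runs in a logged-in administrator's session, which is why both are applied here.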



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Values Added: The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Removed: SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.20 - Cross-Site Request Forgery to Survey Cloning
Values Added: SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 2.5.2 - Cross-Site Request Forgery to Survey Cloning

Mon, 26 Jan 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Devsoftbaltic; Devsoftbaltic surveyjs Drag Drop Wordpress Form Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Devsoftbaltic; Devsoftbaltic surveyjs Drag Drop Wordpress Form Builder; Wordpress; Wordpress wordpress

Sat, 24 Jan 2026 09:15:00 +0000

Type: Description
Values Added: The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.20 - Cross-Site Request Forgery to Survey Cloning

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:53.596Z

Reserved: 2025-11-14T17:24:30.640Z

Link: CVE-2025-13205

Vulnrichment

Updated: 2026-01-26T15:29:24.948Z

NVD

Status: Deferred

Published: 2026-01-24T09:15:51.880

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13205

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:30:22Z

Weaknesses